Splunk Search

How to use fields containing colons (:) in search command functions?



I am trying to use a variable from my data which has colons as in this example:


Splunk can make simple searches with this variable as in this example:

sourcetype=Splunkish index=sandbox  id=VR00ZN000010188 ep_9:sMeterS:SummationDeliveredL_x10k

But when you want to use this variable in a function, Splunk does not let you do it. Keeping the :s seems to be confusing for Splunk. When Splunk creates the fields for this variable, it shortens it to "SummationDeliveredL_x10k" automatically so that one can use it in the function as below.

sourcetype=Splunkish index=sandbox  id=VR00ZN000010188 | timechart avg(SummationDeliveredL_x10k)

Do we know the reason for this? For my work I have to do some hard-coding to get the outputNames as inputNames, and I do not like to do this hard-coding.

Please let me know if you know a way to handle this situation.

Many thanks in advance!

PS: the data source type is the one recommended by Splunk, as in this example:

2016-01-14T22:55:07Z, event_type=datapoint, model=SPE600, id="VR00ZN000010188", ep_9:sMeterS:DemandDelivered_x10k=0


Hopefully this will get you started.

This may be adjusted overall for this data source by the segmentation type. I think what you want to do is turn off the colon from being a MINOR segmenter character, at least at search time, on this sourcetype using segmenters.conf. You may be able to change the segmentation type (which can be done from the GUI as per this article on setting search-time event segmentation via Splunk Web).

I'm no expert in this, but I think fiddling with the search time segmentation type may get you the results you want.



Thank you so much for your advice!

I think I tried what you suggested. I removed ":" from the MINOR segmenters in segmenters.conf. When that did not work I also removed it from the MAJOR segmenters in all lines. It still did not work, even when I restarted Splunk. The extracted field name in the Splunk GUI still ignores the part before the ":".

I am not sure what else to try. If you have any other ideas I would love to hear.
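The behaviour described in the question (the field name collapsing to "SummationDeliveredL_x10k") and the failed segmenters.conf attempt in the reply above are both consistent with the truncation happening in key=value field extraction rather than in segmentation: segmenters.conf decides how raw text is tokenised for the index, while automatic key=value extraction decides which characters may form a field name. The script below is an added illustration, not code from the original thread or from Splunk: it approximates the automatic extraction with a regex whose key may contain only word characters (an assumption about Splunk's internals, not its actual pattern), runs it over constructed events in the format shown in the question, and contrasts it with a custom extraction that keeps the colon-delimited key so that an avg()-style aggregation can address the full name. The three sample events and their values are constructed for the example.

```python
import re
from statistics import mean

# Constructed sample events in the format shown in the question (not real data).
EVENTS = [
    '2016-01-14T22:55:07Z, event_type=datapoint, model=SPE600, '
    'id="VR00ZN000010188", ep_9:sMeterS:DemandDelivered_x10k=0',
    '2016-01-14T22:56:07Z, event_type=datapoint, model=SPE600, '
    'id="VR00ZN000010188", ep_9:sMeterS:SummationDeliveredL_x10k=120',
    '2016-01-14T22:57:07Z, event_type=datapoint, model=SPE600, '
    'id="VR00ZN000010188", ep_9:sMeterS:SummationDeliveredL_x10k=180',
]

# Assumed approximation of automatic key=value extraction: the key may only
# contain word characters. Because the pattern is unanchored, the longest run
# of word characters immediately before '=' wins, which drops everything up to
# and including the last ':' (ep_9:sMeterS:X=1 is extracted as X=1).
AUTO_KV = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>"[^"]*"|[^,\s]+)')

# Custom extraction that also allows ':' inside the key, so the full
# ep_9:sMeterS:... name survives as the field name.
FULL_KV = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_:]*)=(?P<value>"[^"]*"|[^,\s]+)')


def extract(event, pattern):
    """Return {field: value} for every key=value pair the pattern finds.

    Quoted values (id="...") have their surrounding quotes removed, as the
    search results in the question show an unquoted id.
    """
    fields = {}
    for m in pattern.finditer(event):
        fields[m.group('key')] = m.group('value').strip('"')
    return fields


def avg_field(events, field, pattern):
    """Mimic avg(field) over a set of events: average the numeric values of
    `field` in the events where the extraction produced it, else None."""
    values = []
    for event in events:
        fields = extract(event, pattern)
        if field in fields:
            values.append(float(fields[field]))
    return mean(values) if values else None


if __name__ == '__main__':
    # The "automatic" extraction only knows the truncated name...
    print(extract(EVENTS[0], AUTO_KV))
    # ...while the custom one keeps the colon-delimited key.
    print(extract(EVENTS[0], FULL_KV))
    print(avg_field(EVENTS, 'SummationDeliveredL_x10k', AUTO_KV))
    print(avg_field(EVENTS, 'ep_9:sMeterS:SummationDeliveredL_x10k', FULL_KV))
    # Asking the automatic extraction for the full name finds nothing.
    print(avg_field(EVENTS, 'ep_9:sMeterS:SummationDeliveredL_x10k', AUTO_KV))
```

Two practical consequences follow from this model. First, changing segmenters.conf cannot restore the prefix, because the characters are lost at extraction time, not at tokenisation time; a search-time extraction (a regex in props.conf or an inline `rex`) is the layer to change. Second, a regex named capture group cannot itself contain a colon, so such an extraction has to capture the value under a legal name and the full name then has to be applied afterwards, which is the hard-coded renaming the question is trying to avoid.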
